|
 |
81d632 |
From 27bd0925c556ff69ce5db306f513eb4e4e7d4c7e Mon Sep 17 00:00:00 2001
|
|
|
81d632 |
From: Andreas Schneider <asn@samba.org>
|
|
|
81d632 |
Date: Mon, 19 Feb 2018 18:07:50 +0100
|
|
|
81d632 |
Subject: [PATCH] s3:smbd: Do not crash if we fail to init the session table
|
|
|
81d632 |
|
|
|
81d632 |
This should the following segfault with SMB1:
|
|
|
81d632 |
|
|
|
81d632 |
#6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
|
|
|
81d632 |
#7 <signal handler called>
|
|
|
81d632 |
#8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
|
|
|
81d632 |
at ../source3/smbd/smbXsrv_session.c:1212
|
|
|
81d632 |
#9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
|
|
|
81d632 |
#10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
|
|
|
81d632 |
#11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
|
|
|
81d632 |
at ../source3/smbd/process.c:1762
|
|
|
81d632 |
#12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
|
|
|
81d632 |
deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
|
|
|
81d632 |
#13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
|
|
|
81d632 |
#14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0
|
|
|
81d632 |
|
|
|
81d632 |
Inspection the core shows that:
|
|
|
81d632 |
conn->client-session_table is NULL
|
|
|
81d632 |
conn->protocol is PROTOCOL_NONE
|
|
|
81d632 |
|
|
|
81d632 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315
|
|
|
81d632 |
|
|
|
81d632 |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
81d632 |
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
|
81d632 |
(cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878)
|
|
|
81d632 |
---
|
|
|
81d632 |
source3/smbd/negprot.c | 23 ++++++++++++++++++++---
|
|
|
81d632 |
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
|
81d632 |
|
|
|
81d632 |
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
|
|
|
81d632 |
index d3f4776076f..70249f7b446 100644
|
|
|
81d632 |
--- a/source3/smbd/negprot.c
|
|
|
81d632 |
+++ b/source3/smbd/negprot.c
|
|
|
81d632 |
@@ -65,6 +65,8 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
time_t t = time(NULL);
|
|
|
81d632 |
struct smbXsrv_connection *xconn = req->xconn;
|
|
|
81d632 |
uint16_t raw;
|
|
|
81d632 |
+ NTSTATUS status;
|
|
|
81d632 |
+
|
|
|
81d632 |
if (lp_async_smb_echo_handler()) {
|
|
|
81d632 |
raw = 0;
|
|
|
81d632 |
} else {
|
|
|
81d632 |
@@ -88,7 +90,11 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
SSVAL(req->outbuf,smb_vwv11, 8);
|
|
|
81d632 |
}
|
|
|
81d632 |
|
|
|
81d632 |
- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
|
|
|
81d632 |
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
|
|
|
81d632 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
81d632 |
+ reply_nterror(req, status);
|
|
|
81d632 |
+ return;
|
|
|
81d632 |
+ }
|
|
|
81d632 |
|
|
|
81d632 |
/* Reply, SMBlockread, SMBwritelock supported. */
|
|
|
81d632 |
SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
|
|
|
81d632 |
@@ -115,6 +121,8 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
time_t t = time(NULL);
|
|
|
81d632 |
struct smbXsrv_connection *xconn = req->xconn;
|
|
|
81d632 |
uint16_t raw;
|
|
|
81d632 |
+ NTSTATUS status;
|
|
|
81d632 |
+
|
|
|
81d632 |
if (lp_async_smb_echo_handler()) {
|
|
|
81d632 |
raw = 0;
|
|
|
81d632 |
} else {
|
|
|
81d632 |
@@ -140,7 +148,11 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
SSVAL(req->outbuf,smb_vwv11, 8);
|
|
|
81d632 |
}
|
|
|
81d632 |
|
|
|
81d632 |
- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
|
|
|
81d632 |
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
|
|
|
81d632 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
81d632 |
+ reply_nterror(req, status);
|
|
|
81d632 |
+ return;
|
|
|
81d632 |
+ }
|
|
|
81d632 |
|
|
|
81d632 |
/* Reply, SMBlockread, SMBwritelock supported. */
|
|
|
81d632 |
SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
|
|
|
81d632 |
@@ -260,6 +272,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
struct smbXsrv_connection *xconn = req->xconn;
|
|
|
81d632 |
bool signing_desired = false;
|
|
|
81d632 |
bool signing_required = false;
|
|
|
81d632 |
+ NTSTATUS status;
|
|
|
81d632 |
|
|
|
81d632 |
xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
|
|
|
81d632 |
|
|
|
81d632 |
@@ -337,7 +350,11 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
|
|
|
81d632 |
SSVAL(req->outbuf,smb_vwv0,choice);
|
|
|
81d632 |
SCVAL(req->outbuf,smb_vwv1,secword);
|
|
|
81d632 |
|
|
|
81d632 |
- smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
|
|
|
81d632 |
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
|
|
|
81d632 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
81d632 |
+ reply_nterror(req, status);
|
|
|
81d632 |
+ return;
|
|
|
81d632 |
+ }
|
|
|
81d632 |
|
|
|
81d632 |
SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */
|
|
|
81d632 |
SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */
|
|
|
81d632 |
--
|
|
|
81d632 |
2.16.2
|
|
|
81d632 |
|